Solved: private vlan promiscuous trunk with classic vlans

mario.jost · ‎01-26-2021

We are working on using private vlans with a new firepower device in our DMZ. As you know, firepower does not support private vlans. So we want to use the promiscious trunk feature on the nexus 9300 to reach our goal. Before, we just had a normal trunk with some vlans:

interface port-channel100
  description firepower LACP
  switchport mode trunk
  mtu 9216
  vpc 100

vlan 10
vlan 20
vlan 30
vlan 40

the communication for all vlans worked great. Now we changed the configuration on our nexus like follows:

interface port-channel100
  description firepower LACP
  switchport mode private-vlan trunk promiscuous
  switchport private-vlan trunk allowed vlan 1-3967
  switchport private-vlan mapping trunk 20 21-22
  switchport private-vlan mapping trunk 30 31-32
  mtu 9216
  vpc 100
vlan 10
vlan 20
  private-vlan primary
  private-vlan association 21-22
vlan 21
  private-vlan isolated
vlan 22
  private-vlan community
vlan 30
  private-vlan primary
  private-vlan association 31-32
vlan 31
  private-vlan isolated
vlan 32
  private-vlan community
vlan 40

So now, all the private Vlans are working fine. We tested VMs in the isolated and community vlans, and everything worked as expected. But the old classic non private vlans (10 & 40) are not working anymore. What are we missing?

mario.jost · ‎01-26-2021

It turns out, that the line

switchport private-vlan trunk allowed vlan 1-3967

fixed it for us. I was just too impatient. After 10min (as i was creating this post) all classic vlans were just working again.

View solution in original post

mario.jost · ‎01-26-2021

It turns out, that the line

switchport private-vlan trunk allowed vlan 1-3967

fixed it for us. I was just too impatient. After 10min (as i was creating this post) all classic vlans were just working again.